: Even though this article wasn't specifically regarding network operations, it
: does come down to the most fundamental of network operating practices.
: Create policies and the procedures that enable those policies. Then enforce
: them VERY strictly.
: Folks that handle sensitive info (proprietary code, personal info, HIPAA,
: FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
: company servers where all software has been cleared by folks that're experts
: in evaluating software packages. Not from the general internet.

On Tue, 10 May 2005, Scott Morris wrote:

: Closing people's systems down from "any" other software installations isn't
: necessarily the solution. It can delay progress in many cases, and not
: everyone has IT staff that may be as up to speed as necessary.

OK, for smaller companies, yes. You have to trade off productivity and risk. But in a smaller company you will likely know each individual and their level of tech savvy. Red flags should pop up if they have a low level of understanding, have access to machines with sensitive or proprietary info, and have the permission level to install software.

Also, in this case we're talking Cisco, NASA, .mil networks and research labs. They have the ability to enforce policy and the need to be VERY risk averse WRT losing sensitive data. In organizations that size, it's the enforcement that's hard to pull off. It requires strict policy definition and procedure adherence. Don't give folks that have access to machines that hold sensitive info the ability to download software unless you know they're savvy enough to do so safely. If you do allow the less savvy folks who have access to sensitive machines to install software, force the packages to be downloaded from a company repository.

: The requirement should be more along the lines of software designed to scan
: the system for things like that and alert/remove it. That kind of
: requirement at least gives flexibility and a good kick in the butt to
: implement good assessment tools at the PC or network level.

In the article, it was too late by that time. The data was compromised. They didn't trade off risk and productivity well, or didn't enforce policy through procedure, or...

: All it takes is one user outside the "norm" to mess up LOTS of work and
: policies trying to keep things right!

Anyone with access to machines that hold sensitive material should be held to a higher standard than the rest of the organization. You risk losing your treasure through these people.

scott